Cryptology ePrint Archive: Report 2021/930

Darlin: Recursive Proofs using Marlin

Ulrich Haböck and Alberto Garoffolo and Daniele Di Benedetto

Abstract: This document describes Darlin, a succinct zero-knowledge argument of knowledge based on the Marlin SNARK (Chiesa et al., Eurocrypt 2020) and the `dlog' polynomial commitment scheme from Bootle et al. EUROCRYPT 2016. Darlin addresses recursive proofs by integrating the amortization technique from Halo (IACR eprint 2019/099) for the non-succinct parts of the dlog verifier, and we adapt their strategy for bivariate circuit encoding polynomials to aggregate Marlin's inner sumchecks across the nodes the recursive scheme. We estimate the performance impact of inner sumcheck aggregation by about 30% in a tree-like scheme of in-degree 2, and beyond when applied to linear recursion.

Category / Keywords: cryptographic protocols / R1CS, SNARKs, recursive proofs, aggregation schemes

Date: received 8 Jul 2021, last revised 1 Oct 2021

Contact author: ulrich at horizenlabs io, alberto at horizenlabs io, daniele at horizenlabs io

Available format(s): PDF | BibTeX Citation

Note: Additional appendix on domain extension/segmentation of linear polynomial commitment schemes. A more complete explanation of our benchmarks.

Version: 20211001:134654 (All versions of this report)

Short URL: ia.cr/2021/930


[ Cryptology ePrint archive ]